Federal Information Security Management Act: Fiscal Year 2013 Evaluation

March 31, 2014
Report No. 522

U.S. SECURITIES AND EXCHANGE COMMISSION
OFFICE OF INSPECTOR GENERAL

Executive Summary
Federal Information Security Management Act: Fiscal Year 2013 Evaluation
Report No. 522, March 31, 2014

Why We Did This Evaluation

The Federal Information Security Management Act (FISMA) provides a comprehensive framework to ensure the effectiveness of security controls over information resources that support Federal operations and assets. FISMA also requires agency Inspectors General to annually assess the effectiveness of agency information security programs and practices and report the results to the Office of Management and Budget (OMB). The overall objective of the fiscal year 2013 FISMA evaluation was to assess the U.S. Securities and Exchange Commission's (SEC) information systems and information security posture. The Office of Inspector General contracted the services of Networking Institute of Technology, Inc. (referred to as "we" in this executive summary) to conduct the evaluation.

What We Found

To assess the SEC's security controls over its information systems and its information security posture, we reviewed the security assessment packages for seven of the SEC's major information systems (five internally hosted systems and two externally hosted systems). The scope of the review consisted of the following 11 areas specified in OMB's fiscal year 2013 FISMA reporting instructions:

    1.  continuous monitoring management;
    2.  configuration management;
    3.  identity and access management;
    4.  incident response and reporting;
    5.  risk management;
    6.  security training;
    7.  plan of action and milestones;
    8.  remote access management;
    9.  contingency planning;
    10. contractor systems; and
    11. security capital planning.

Overall, we found several areas in which the SEC has implemented improved controls over its information security. For example, the Office of Information Technology (OIT) has made significant progress establishing (1) a risk management program; (2) an incident response and reporting program; and (3) an enterprise-wide business continuity and disaster recovery program, consistent with FISMA requirements and OMB and National Institute of Standards and Technology guidelines. The OIT has also established a plan of action and milestones program and properly tailors its baseline control list in compliance with Federal guidance. Finally, the SEC provided security awareness and role-based security training to its personnel and has established an information security capital planning and investment program.

However, we found that the OIT had not taken corrective action on some issues identified during the fiscal year 2011 and 2012 FISMA evaluations. We also found that the agency needs to enhance its efforts regarding contractor systems, multi-factor authentication, user accounts, and configuration management.

What We Recommended

To strengthen the SEC's controls over information security, we reiterated that the OIT should take immediate action to address the outstanding recommendations from the fiscal year 2011 and 2012 FISMA reports. We also made nine new recommendations for corrective action. In response to a draft of this report, SEC management concurred with eight of the nine recommendations and nonconcurred with one recommendation. Management described the corrective actions it plans to take. Because this report contains sensitive information about the SEC's information security program, we are not releasing it publicly.

For additional information, contact the Office of Inspector General at (202) 551-6061 or visit www.sec.gov/about/offices/inspector_general.shtml.

To Report Fraud, Waste, or Abuse, Please Contact:

    Web:        www.reportlineweb.com/sec_oig
    E-mail:     oig@sec.gov
    Telephone:  (877) 442-0854
    Fax:        (202) 772-9265
    Address:    U.S. Securities and Exchange Commission
                Office of Inspector General
                100 F Street, N.E.
                Washington, DC 20549-2736

Comments and Suggestions

If you wish to comment on the quality or usefulness of this executive summary or suggest ideas for future audits, please contact Rebecca Sharek, Deputy Inspector General for Audits, Evaluations, and Special Projects, at sharekr@sec.gov or call (202) 551-6083. Comments, suggestions, and requests can also be mailed to the attention of the Deputy Inspector General for Audits, Evaluations, and Special Projects at the address listed above.